Tags: openbootdotdev/openboot.dev
fix: wrap generated scripts in main() for safe curl|bash piping
When bash reads a script from a pipe (curl | bash), exec < /dev/tty at the top level redirects stdin away from the pipe mid-read, causing bash to lose the rest of the script and hang. Wrapping in main() forces bash to parse the entire script before executing, matching the pattern used by scripts/install.sh, rustup, and other curl|bash installers.
fix: reopen stdin from /dev/tty in generated install scripts (#9)
Scripts served at /username/slug were missing the exec < /dev/tty fix that scripts/install.sh already had, causing "stdin is not a TTY" when run via curl|bash. Affects both public and private config install flows.
feat(api): include shell config and macOS prefs in config responses
Both /[username]/[slug]/config and /api/configs/alias/[alias] endpoints now return shell (oh_my_zsh, theme, plugins) and macos_prefs fields parsed from the snapshot. This enables the CLI sync command to compare and apply shell and macOS preference changes.
fix: comprehensive security and bug fixes across auth, API, and frontend
CRITICAL:
- Fix XSS in highlightBash via escapeHtml before regex highlighting
- Reject JWT tokens without exp claim (was bypassable with exp:0)
- Add rate limiting, size cap, and error handling to brewfile parse
HIGH:
- Preserve existing username on GitHub re-login (prevent overwrite)
- Clear OAuth state cookies on state mismatch (both providers)
- Fix CLI approve race condition with atomic UPDATE claim + db.batch
- Server-generate all device codes (remove client-supplied code path)
- Fix open redirect in validateReturnTo via decodeURIComponent
- Wrap GitHub callback in try/catch matching Google callback pattern
- Hide unlisted configs from public profile pages
- Check response.ok before reloading after deleteConfig
- Fix packageDescs mutation (create new Map instead of mutating)
- Add performance indexes on configs and cli_auth_codes
MEDIUM:
- Add updated_at to snapshot UPDATE query
- Cap slug dedup loop at 100 attempts
- Fix formatDate unconditional Z append for D1 date strings
- Fix stale event?.currentTarget in ConfigDetail copy button
- Migrate ThemeToggle from Svelte 4 on:click to Svelte 5 onclick
- Remove dead starCount GitHub API fetch from home page
- Add name/description length validation to config creation
- Centralize RESERVED_ALIASES constant across hooks and API endpoints
- Change logout from GET to POST (CSRF prevention)
- Replace N+1 queries with JOIN in hooks.server.ts
- Fix auth store checkPromise reset on fetch failure
- Add opportunistic expired cli_auth_codes cleanup
fix: resolve snapshot upload, auth race condition, and add rate limiting
- Fix from-snapshot: convert string[] to typed {name,type}[] for validation
- Fix from-snapshot: respect visibility field from CLI instead of hardcoding
- Fix auth poll: atomic UPDATE prevents double device code redemption
- Add rate limiting (30/min per IP) to homebrew and npm search endpoints
- Add 26 missing package metadata entries to align with CLI catalog
- Fix install count errors: log instead of silently swallowing
- Fix expires_at: return null instead of undefined when token has no expiry
- Remove empty index.ts barrel file
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
docs: update CLI install docs for alias-first resolution
Document that `openboot install <word>` resolves aliases first before falling back to username/default. Update cli-reference, config-options, and custom-configs docs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>